OilRig APT Continues Its Ongoing Malware Evolution

OilRig, an APT group believed to have ties to Iran, has been spotted in yet another campaign in the Middle East – this time targeting victims within an undisclosed government using an evolved variant of the BondUpdater trojan.

The group, which is also called Cobalt Gypsy, Crambus, Helix Kitten or APT34, was recently spotted using a reboot of the OopsIE trojan to mine information from other entities in the Middle East. Believed to be a state-sponsored group operating under the auspices of the Iranian intelligence agency and the Islamic Revolutionary Guard Corps (IRGC), OilRig’s primary purpose appears to be espionage targeting financial, aviation, infrastructure, government and university organizations in the Middle East region.

As in the case of the OopsIE-driven attacks, this latest campaign uses an iteration of a previously identified homegrown tool. Palo Alto’s Unit 42 has observed OilRig using spear-phishing emails to deliver an updated version of BondUpdater, a PowerShell-based trojan first used by the group in mid-November 2017.

“The BondUpdater trojan contains basic backdoor functionality, allowing threat actors to upload and download files, as well as the ability to execute commands,” Unit 42 researchers said in a breakdown of the campaign posted Thursday. “BondUpdater, like other OilRig tools, uses DNS tunneling to communicate with its C2 server…[but] it now includes the ability to use TXT records within its DNS tunneling protocol for its C2 communications.”

Unit 42 observed a highly targeted phishing email sent to “a high-ranking office in a Middle Eastern nation” containing a malicious document with a macro responsible for installing a new variant of BondUpdater.

Upon examination, Unit 42 saw that the malware’s installation process involves a VBScript that creates a scheduled task designed to execute every minute, for the sake of persistence. Once established on a targeted machine, BondUpdater was also found to have a new lock file that is used to determine how long the main PowerShell process has been executing; if it has been running for more than 10 minutes, the script will stop the process and delete the lock file, paving the way for a renewed execution of the PowerShell script.

“This suggests the threat actors may have experienced issues with this trojan running for extended periods in the past,” researchers said.

The analysis also showed that the updated malware retains its original command handling and C2 communication functionality, which involves communicating with the C2 server to receive a file and using a character in the filename as the command. The trojan’s command handler checks the trailing character of the filename to see what its orders are: i.e., “0” means run a command, “1” means download a file and any other character means to upload a file.

However, it also includes something new: a TXT-based communication option, which expands the flexibility of the command structure.

“This particular BondUpdater sample includes two different variations of the DNS tunneling protocol, one using DNS A records, and one using DNS TXT records to transmit data from the C2 to the trojan,” the researchers explained. “Depending on whether the C2 communications use DNS A or TXT records, different action types are used when generating the subdomains to notify the C2 what format to use to respond.”

Here, the TXT records signal additional commands, specifically to obtain a filename and the data to write to the file. Once data is written to the file system, this method uses the same command handler as the original method to process the contents of the file based on the trailing character of the filename.
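The DNS-tunneling behaviour described above (encoded data carried in subdomain labels, with either A or TXT records used on the return path) is something defenders can look for in their own resolver logs. The following script is an added example, not code from the Unit 42 report or from the malware itself: it parses a constructed set of DNS query log lines (the `timestamp client qtype qname` format, the `example-c2.test` domain and the 10.0.0.x clients are all assumptions) and flags client/domain pairs that issue many distinct, high-entropy subdomain labels, reporting how many of those were TXT lookups. The thresholds are illustrative starting points, not values taken from the report.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (assumed format: "<timestamp> <client_ip> <qtype> <qname>").
# The 10.0.0.7 lines imitate tunneling: unique, random-looking leftmost labels,
# with a mix of A and TXT lookups. The 10.0.0.5 lines are ordinary traffic.
SAMPLE_LOG = """\
2018-09-13T10:00:01 10.0.0.5 A www.example.com
2018-09-13T10:00:02 10.0.0.5 A cdn.example.com
2018-09-13T10:00:03 10.0.0.5 A mail.example.com
2018-09-13T10:00:04 10.0.0.5 A login.example.com
2018-09-13T10:00:05 10.0.0.7 A 3f9a1c0b2d7e4856.example-c2.test
2018-09-13T10:00:06 10.0.0.7 TXT a1b2c3d4e5f60789.example-c2.test
2018-09-13T10:00:07 10.0.0.7 A 0f1e2d3c4b5a6978.example-c2.test
2018-09-13T10:00:08 10.0.0.7 TXT 9876543210fedcba.example-c2.test
2018-09-13T10:00:09 10.0.0.7 A 5a4b3c2d1e0f6789.example-c2.test
2018-09-13T10:00:10 10.0.0.7 TXT 1a2b3c4d5e6f7089.example-c2.test
"""


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character; encoded/random labels score high, words score low."""
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Return (client, qtype, qname) for a well-formed line, else None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, client, qtype, qname = parts
    return client, qtype.upper(), qname.lower().rstrip(".")


def base_domain(qname: str) -> str:
    """Simplified registrable domain: the last two labels (no public-suffix handling)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def analyze(lines, min_unique: int = 5, min_entropy: float = 3.0) -> dict:
    """Group queries by (client, base domain) and flag tunneling-like patterns.

    A pair is flagged when it has at least `min_unique` distinct leftmost labels
    whose mean entropy is at least `min_entropy` bits. TXT lookups are counted
    separately so an analyst can see which return channel is in use.
    """
    groups = defaultdict(lambda: {"labels": set(), "txt_queries": 0, "total": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, qtype, qname = parsed
        key = (client, base_domain(qname))
        g = groups[key]
        g["labels"].add(qname.split(".")[0])
        g["total"] += 1
        if qtype == "TXT":
            g["txt_queries"] += 1

    results = {}
    for key, g in groups.items():
        entropies = [shannon_entropy(lbl) for lbl in g["labels"]]
        mean_entropy = sum(entropies) / len(entropies) if entropies else 0.0
        unique = len(g["labels"])
        results[key] = {
            "total_queries": g["total"],
            "unique_labels": unique,
            "txt_queries": g["txt_queries"],
            "mean_entropy": round(mean_entropy, 3),
            "flagged": unique >= min_unique and mean_entropy >= min_entropy,
        }
    return results


if __name__ == "__main__":
    for (client, domain), r in sorted(analyze(SAMPLE_LOG.splitlines()).items()):
        status = "SUSPECT" if r["flagged"] else "ok"
        print(f"{status:8} {client:10} {domain:20} unique={r['unique_labels']} "
              f"txt={r['txt_queries']} mean_entropy={r['mean_entropy']}")
```

The entropy threshold catches the encoded labels without matching ordinary hostnames, and the per-pair unique-label count filters out a single odd lookup; in production the base-domain step should use a public-suffix list, and the TXT count deserves its own alert when a workstation that normally never issues TXT queries starts doing so against a single domain.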

The upshot of the tweaks to the code is that OilRig appears to be in a state of continuous tool development, analogous to the DevOps efforts seen in the legitimate software world.

“OilRig is a highly diverse and very resourceful threat actor, employing a litany of methods and tools to compromise victims,” Unit 42 researchers said. They added, “As expected, OilRig is continuing their onslaught of attacks well into 2018 with continued targeting in the Middle East. Sometimes developing new tools, OilRig also often uses what has worked in the past, including developing variants of previously used tools and malware. This reduces development time and capitalizes on previous versions of the tool and its success.”